Medium Privacy Policy


Effective Date: April 10, 2014

Privacy is important. We respect yours.

General information

This policy sets out our privacy practices and explains how we handle the information we collect when you visit and use our sites, services, mobile applications, products, and content provided by Medium, in existence now or in the future (“Medium Services”). Please read it carefully.

What we may collect

We collect information about what Medium pages you access or visit, information about your mobile device (such as device or browser type), information volunteered by you (such as through registration), the URLs of websites that referred you to us, and e-mail addresses of those who communicate with us via email.

When you log into Medium Services or load a web page from Medium Services, we collect and store your Internet Protocol address. We may use this information to fight spam, malware, and identity theft; to personalize Medium Services for you; or to generate aggregate, non-identifying information about how people use Medium Services.

When you create your Medium account, and authenticate via a third-party service like Twitter, we may collect, store, and periodically update the contact lists associated with that third-party account, so that we can make it easy for you to connect with your existing contacts from that service who are also on Medium.

Email communications with us

We may occasionally need to email you some administrative info, tell you something important about your account or changes to our services, or update you on new policies. In really tough situations, like when we got dumped that one time, we might just need to vent about how unfair life is. Except for that last scenario, which won’t actually happen, these administrative communications are considered a basic part of Medium Services, and you may not be able to opt out from receiving them. You can always opt out of non-administrative emails.

We will never email you to ask for your password or other account information. If you receive such an email, send it to us so we can take action against the evildoer.

Disclosure of your information

The information we collect is used to provide and improve Medium Services and content and prevent abuse. We don’t sell personal information about our users to any third party.

While Medium endeavors to provide the highest level of protection for your information, we may share your personal information with third parties in limited circumstances, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.

If we’re going to release your information, our policy is to provide you with advance notice unless we are prohibited from doing so by law or court order (e.g., under laws such as 18 U.S.C. § 2705(b), also known as gag orders). If you do not challenge the disclosure request, we may be legally required to turn over your information.

We may disclose your information without providing you with prior notice if we believe it’s necessary to prevent imminent and serious bodily harm to a person. In that case, we will endeavor to provide you with post-disclosure notice when permitted by law.

We will independently object to requests for access to information about users of our site that we believe to be improper.

If we’re acquired by or merged with another company and your information becomes subject to a different privacy policy, we’ll notify you before the transfer. You can opt out of the new policy by deleting your account during the notice period.

Public user content

Medium is meant for publishing public, not private, content. By default, whatever you share through Medium Services is public. Although we do provide tools that let you write and edit draft content prior to publication, you should assume that any content you provide us may become publicly accessible.

Content published and shared through Medium Services is publicly accessible, which means that everyone, including search engines, will be able to see it. This content may also be copied and shared by others throughout the Internet, including through features native to Medium Services, such as commenting and embedding.

You are free to remove published content from your account, or even disable your account entirely. However, because of the fundamentally open nature of the Internet, the strong possibility that others will comment on or embed your content, and technological limitations inherent to Medium Services, copies of your content may exist elsewhere indefinitely, including in our systems.

Cookies

A cookie is a small piece of text, which often includes an anonymous unique identifier, sent to and saved by your web browser when you access a website.

We use cookies to enable our servers to recognize your web browser and tell us how and when you use Medium Services. We use cookies to identify whether you have logged in and recognize that your web browser has accessed aspects of Medium Services, and we may associate that information with your account if you have one. This information, in turn, is sometimes used to personalize your experiences on Medium Services when you are logged in. To measure the deliverability of our emails to users, we may embed information in them, such as a web beacon or tag.

Most browsers have an option for disabling cookies, but if you disable them you won’t be able to log into your Medium account, and won’t be able to use the vast majority of Medium Services.

We respect Do Not Track (“DNT”) settings in browsers. If you are logged out of our services and have DNT enabled, we will not set cookies that can be used to aggregate information about your usage. We may use some cookies to enhance your experience by storing preferences or options. Again, you must have cookies enabled in order to log into our services.

Some third-party services that we use, such as embed.ly, may place their own cookies in your browser. Note that this Privacy Policy covers our use of cookies only and not the use of cookies by third parties.

Data Storage

Medium uses third-party vendors and hosting partners, such as Amazon, to provide the necessary hardware, software, networking, storage, and related technology we need to run Medium. Although Medium owns its code, databases, and all rights to the Medium application, you retain all rights to your content.

We maintain two types of logs: server logs and event logs.

Server logs: Like most websites, our servers automatically record the page request made when you visit our sites. We have two types of server logs: nginx and application. These server logs may include your web request, IP address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser. We will delete all server logs after 9 months or earlier.

Here is an anonymized example of an nginx log entry for a user who views a post:

01.01.01.01 - - [10/Apr/2014:18:04:24 +0000]+0.018 "GET /p/xxxxxxxxxxx HTTP/1.1" 410 2467 "http://www.google.com" "Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285" "1010101010101:10x10x10x10x" "-" "medium.com"

The parts are as follows:

  • IP address (01.01.01.01)
  • Timestamp + request time ([10/Apr/2014:18:04:24 +0000]+0.018)
  • HTTP request, method + path + HTTP version (“GET /p/xxxxxxxxxxx HTTP/1.1”)
  • HTTP status returned (410)
  • Response length in bytes (2467)
  • Referrer (http://www.google.com)
  • User agent (Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285)
  • Internal transaction ID (1010101010101:10x10x10x10x)
  • Medium client identifier (“-”)
  • Host (medium.com)
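
As an added illustration (not Medium's own code), the sample entry can be split into the ten parts listed above and checked against the nine-month deletion limit. The regular expression is inferred from the single sample line, the quotes and hyphens are assumed to be plain ASCII in the real log, and the function names are hypothetical.

```python
import calendar
import re
from datetime import datetime

# Field order follows the parts list above. The regex is inferred from the one
# sample line (an assumption), not taken from Medium's nginx log_format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ '
    r'\[(?P<timestamp>[^\]]+)\]\+(?P<request_time>\d+\.\d+) '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<http_version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<length>\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'"(?P<transaction_id>[^"]*)" "(?P<client_id>[^"]*)" "(?P<host>[^"]*)"'
)

# The policy's sample entry, typed with plain ASCII quotes and hyphens.
SAMPLE = (
    '01.01.01.01 - - [10/Apr/2014:18:04:24 +0000]+0.018 '
    '"GET /p/xxxxxxxxxxx HTTP/1.1" 410 2467 "http://www.google.com" '
    '"Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) '
    'Gecko/20101104 Netscape/9.1.0285" '
    '"1010101010101:10x10x10x10x" "-" "medium.com"'
)

RETENTION_MONTHS = 9  # "We will delete all server logs after 9 months or earlier."

def parse_line(line):
    """Return the named fields as a dict, or None if the line does not match."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    rec["request_time"] = float(rec["request_time"])
    rec["status"], rec["length"] = int(rec["status"]), int(rec["length"])
    return rec

def retention_deadline(ts, months=RETENTION_MONTHS):
    """Calendar date by which an entry logged at ts must be deleted."""
    idx = ts.month - 1 + months
    year, month = ts.year + idx // 12, idx % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])  # clamp 31 May -> 28 Feb
    return ts.replace(year=year, month=month, day=day)

def is_overdue(rec, now):
    return now >= retention_deadline(rec["timestamp"])  # still present past the limit
```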

Event logs: Our event logs record user actions on the site, such as clicking through stories or scrolling. Event logs do not contain IP addresses, user names, user addresses, or user email addresses. They do contain user IDs generated by Medium, as well as descriptions of actions users take on the site. We may keep event logs indefinitely.

Here is an example of an anonymized event log entry for a user who views a post:

{"tags": {"usergroup": "1"}, "isAuthenticated": false, "userId": "lo_10101010101", "id": "xx0101010101", "type": "emit", "client": "web", "createdAt": 1397152749513, "reportedAt": 1397152747909, "name": "post.xoxoxoxoxo", "value": 1, "data": {"location": "https://medium.com/matter/22979c8ec9d6", "referrer": "http://tech.slashdot.org/submission/3475293/are-the-deaf-being-silenced?sdsrc=rel", "userId": "lo_10101010101", "collectionSlug": "matter", "postId": "22979c8ec9d6"}}

The parts are as follows:

  • tags: arbitrary tag about the user
      • usergroup: arbitrary grouping for users
  • isAuthenticated: whether the user was logged in
  • userId: the user that performed the event
  • id: unique event id, internal-only
  • type: internally used to handle processing the event
  • client: device type
  • createdAt: timestamp when the event was processed
  • reportedAt: timestamp when the event was reported by the client
  • name: identifier for the type of event
  • data: arbitrary metadata, different for each event type
      • location: url where the event happened
      • referrer: http referrer
      • userId: the user that viewed the post
      • collectionSlug: the collection the post was in when it was viewed
      • postId: the post that was viewed
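
An added check, not part of Medium's policy or code, that tests the statement that event logs hold no IP addresses or email addresses by walking every string in an entry, including the free-form location and referrer URLs. The patterns are heuristics, LEAKY_EVENT is a constructed counter-example, and user names and postal addresses are outside what a pattern can detect.

```python
import json
import re

# Heuristic patterns (assumptions of this example); user names and postal
# addresses have no reliable pattern and are not covered.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# The sample event from the policy, typed with plain ASCII quotes.
SAMPLE_EVENT = json.loads(
    '{"tags": {"usergroup": "1"}, "isAuthenticated": false, '
    '"userId": "lo_10101010101", "id": "xx0101010101", "type": "emit", '
    '"client": "web", "createdAt": 1397152749513, "reportedAt": 1397152747909, '
    '"name": "post.xoxoxoxoxo", "value": 1, "data": {'
    '"location": "https://medium.com/matter/22979c8ec9d6", '
    '"referrer": "http://tech.slashdot.org/submission/3475293/'
    'are-the-deaf-being-silenced?sdsrc=rel", "userId": "lo_10101010101", '
    '"collectionSlug": "matter", "postId": "22979c8ec9d6"}}'
)

# Constructed counter-example: a referrer URL that carries an IP and an email.
LEAKY_EVENT = json.loads(json.dumps(SAMPLE_EVENT))
LEAKY_EVENT["data"]["referrer"] = "http://203.0.113.7/reset?email=alice@example.com"

def find_identifiers(node, path=""):
    """Return (json_path, kind) for every string value that looks identifying."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_identifiers(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_identifiers(value, f"{path}[{i}]")
    elif isinstance(node, str):
        if IPV4_RE.search(node):
            hits.append((path, "ipv4"))
        if EMAIL_RE.search(node):
            hits.append((path, "email"))
    return hits
```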

Modifying your personal information or deleting your account

If you are a registered Medium user, you can access or modify your personal information or delete your account here.

If you deactivate your account, you can reactivate it within 30 days by logging back in. After 30 days, your account and content will be deleted and unrecoverable.

We aim to maintain our services in a manner that protects information from accidental or malicious destruction. This means that after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.

Data security

We use encryption (HTTPS/TLS) to protect data transmitted to and from our site. However, no data transmission over the Internet is 100% secure, so we can’t guarantee the absolute security of this data. You use the service at your own risk, and you are responsible for taking reasonable measures to secure your account (such as keeping your password secret).

Children

Medium Services are intended for general audiences and are not directed to children under 13. We don’t knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us here. If we learn that a child under 13 has provided us with personal information, we take steps to remove such information and terminate the child’s account.

Changes to this Policy

Medium may periodically update this policy. We will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address specified in your Medium account or by placing a prominent notice on our site before the changes take effect.

The most current version of the policy will always be here and we will archive former versions of the policy here.

Questions

We welcome questions, concerns, and feedback about this policy. If you have any suggestions for us, feel free to let us know at terms@medium.com.
